
Google Warns of New Cyberattack on Android and Windows – One Thing That’s Stopping It


Security researchers from Google’s renowned threat intelligence team, along with threat intelligence specialists from Mandiant, have confirmed suspected Russian espionage and a dual attack on Android and Windows users. Here’s what we know so far.

What do we know about the UNC5812 cyberattack?

The UNC5812 cyberattack was discovered by Google TAG and Mandiant in September 2024 and appears to be a hybrid espionage and influence operation carried out by Russian attackers. Using a Telegram account identified as “Civil Defense”, threat intelligence analysts said the campaign was used to distribute malware to Android and Windows users under the guise of a free software provider. The free software is aimed directly at people in Ukraine looking for the locations of military conscription recruiters. Distribution takes place both through the malicious Civil Defense Telegram channel and through a website of the same name. The activation of the Telegram channel in September is believed to have marked the start of the operation; the website domain was registered earlier, in April.


The malware itself is operating-system specific and comes with a decoy application that pretends to be a mapping tool for the aforementioned recruitment locations. “UNC5812 is also actively engaged in influence activities,” a Google TAG spokesperson said, “sharing narratives and soliciting content aimed at undermining support for Ukraine’s mobilization efforts.” It is believed that UNC5812 attackers are buying promoted posts in legitimate, established Ukrainian-language Telegram channels in order to further spread the influence operation. Threat intelligence suggests the operation is still ongoing: as recently as October 8, a Ukrainian-language news channel was seen promoting these posts. “The campaign is likely still actively seeking new Ukrainian-speaking communities to target,” Google TAG researchers say.

Target of Russian spy cyberattack

The goal of the Telegram campaign itself is to convince victims to go to a website where they can download malware for the Android and Windows operating systems. Android users are targeted with a commercially available backdoor application known as CraxsRAT. Google TAG analysts stated that the site itself claims to also support iOS and macOS, but no such payloads were available during the analysis.


So, how can you avoid falling into the trap of this latest threat campaign if you have become a target and reached the malware distribution phase? Make sure you’re using Google Play Protect, Google TAG researchers say. UNC5812 members went to great lengths to convince Android users that they should install the app outside of Google Play and its protections, including justifying the extensive list of required user permissions as being there mainly to protect the user’s security and anonymity, which is ironic.

“The UNC5812 Civil Defense website specifically includes social engineering content and detailed video instructions on how the target user should disable Google Play Protect,” Google TAG said. “Safe Browsing also protects Chrome users on Android by showing them warnings before visiting dangerous sites.” Google’s app-scanning infrastructure protects Google Play and also powers Verify Apps, which further protects users who might fall victim to a cyberattack like this through apps installed outside of Google Play itself.
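The two paragraphs above make a point a defender can act on: a sideloaded “mapping” app that asks for far more than a map needs, and that coaches the user to switch off Play Protect, should be reviewed before it is trusted. The script below is an added example, not code from the article, Google TAG or Mandiant; it takes an AndroidManifest.xml that has already been decoded to text (for instance with apktool), lists the requested permissions that fall outside what a map app plausibly needs, and flags any accessibility service, which commercial Android RATs commonly rely on. The manifest, package name and permission lists are constructed for illustration.

```python
"""Review a decoded AndroidManifest.xml for permissions a map app should not need.

Added example (not from the article). The sample manifest and the
"expected for a map app" list below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give spyware-grade access; each one should be justified
# before an app installed outside Google Play is trusted.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# What a mapping tool can plausibly justify (assumption for this example).
EXPECTED_FOR_MAP_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest for a fake map app that asks for SMS, contacts,
# microphone and package-install rights and registers an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakemap">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Example Map">
    <service android:name=".AccessibilityHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def accessibility_services(manifest_xml):
    """Return the names of services that bind as an accessibility service."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]


def assess(manifest_xml, expected=EXPECTED_FOR_MAP_APP):
    """Summarise what the app asks for beyond the role it claims to have."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(perms - expected)
    high_risk = sorted((perms & HIGH_RISK) - expected)
    a11y = accessibility_services(manifest_xml)
    verdict = "review" if high_risk or a11y else "ok"
    return {
        "package": root.get("package"),
        "unexpected": unexpected,
        "high_risk": high_risk,
        "accessibility_services": a11y,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_MANIFEST)
    print(f"{report['package']}: verdict={report['verdict']}")
    for p in report["high_risk"]:
        print("  high-risk permission:", p)
    for s in report["accessibility_services"]:
        print("  accessibility service:", s)
```

Run against a real decoded manifest by passing its text to `assess()`; a result of `review` does not prove the app is malicious, only that the permission list needs the justification the attackers here were so keen to supply themselves.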